> On 5 Nov 2025, at 18:36, Pedro Sampaio <[email protected]> wrote:
>
> On Wed, Nov 5, 2025 at 1:29 PM Art Manion <[email protected]> wrote:
>> On 2025-11-05 05:30, Peter Gutmann wrote:
>> > The problem is that individuals can't be CNAs, which means you'd need to do
>> > something like going through the cost and overhead of setting up a shell
>> > corporation or similar to meet the checkbox requirement that an individual
>> > can't be a CNA but the same individual fronted by a paper entity can.
>> >
>> > Does anyone know what the thinking behind this is? It excludes any OSS
>> > project that doesn't have some entity fronting it from being a CNA. If by
>> > "major" you mean "lots of people involved in the project" then there are
>> > probably entities fronting them but if you mean "lots of users and
>> > critical to Internet operation" then see the famous xkcd cartoon, and
>> > that person can't be a CNA.
>>
>> I believe that there are no strict requirements to be a non-individual legal
>> entity and that in practice, a somewhat informal "project" can be a CNA.
>>
>> Individuals as CNAs are rare, but here is one:
>>
>> https://www.cve.org/partnerinformation/ListofPartners
>>
>> - Art
>
> Although there isn't a requirement for a legal entity, the operational side
> of a CNA requires more than one person to manage.
>
> One example is that different points of contact are required for
> communication between us and the CNA so we always have a way to reach it.
> Another one is that the CNA will be handling its organization's user base in
> CVE Program's systems, and that requires redundancy so the CNA would not be
> stuck in case a member leaves.
>
> This and other good practices may be what prevents 'individuals' CNAs from
> being accepted in favor of teams. It should not be a one person endeavor.

I think there are very few one person projects that have knowledge, time and resources to operate a CNA. But I am beginning to realise that we need some sort of “Community CNA” operating in an open way, being able to register a scope for projects and help them out.

For our project I realise that the current situation (considering the discussed CVEs) does not work, it hurts us. But we have no resources to operate a full CNA.

A “community driven CNA” is well worth considering.

/O
